The FDA's Center for Devices and Radiological Health regulates medical devices, including AI/ML-enabled Software as a Medical Device (SaMD). The challenge for AI/ML is that a model retrained on new data is functionally a modified device, and historically each modification could require a new submission. The April 2019 AI/ML SaMD discussion paper opened the conversation about a more iterative approach that recognised the adaptive nature of learning systems.
The January 2021 FDA AI/ML Action Plan committed to a Predetermined Change Control Plan (PCCP) framework as one of its core deliverables. In December 2024 the FDA finalised 'Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions' (draft April 2023), making PCCP the operative mechanism for managing model updates within the existing SaMD regime.
PCCP changes the operating model. Manufacturers describe a pre-approved envelope, the Modification Protocol, of allowed model updates together with the controls and testing that bound each update. Within the envelope, no new submission is required. Outside it, a new 510(k), De Novo or PMA still applies. The pathway choice depends on risk classification and predicate availability.
The intended use statement defines what the device is for and which patient population it serves. SaMD classification (Class I, II or III) drives the submission pathway and the documentation set. The presence of AI/ML does not change that hierarchy: it changes the contents of the file.
A description of the planned modifications, the data used to make them, the methods, the acceptance criteria and the testing that demonstrates the modified version remains safe and effective. The protocol bounds what can change without a new submission, and what falls outside that envelope.
Continuous monitoring of model performance against the intended use and patient population, with documented thresholds for action and a defined response. Required as part of the PCCP and as part of standard post-market surveillance obligations under 21 CFR Part 803 and Part 822.
The September 2023 cybersecurity guidance applies in full to AI/ML-enabled devices, with explicit Secure Product Development Framework expectations, SBOM and vulnerability management. Cyber and AI safety overlap heavily in the model supply chain and the data pipeline.
Design controls, software lifecycle, risk management aligned to ISO 14971, data governance and traceability. AI/ML adds expectations around data curation, training and validation set discipline, version control on weights and code, and reproducibility of model builds.
The intended user, contraindications, limitations and the role of human oversight must be clearly labelled. Human factors engineering under IEC 62366 applies where the user interface mediates clinical decisions and where the user must interpret model outputs.
Premarket review, post-market surveillance and enforcement for medical devices including AI/ML-enabled SaMD.
Inspections and enforcement; routine and for-cause inspections of medical device manufacturers.
International Medical Device Regulators Forum; coordinates regulator dialogue on AI/ML in SaMD.
The December 2024 final PCCP guidance is the most consequential FDA AI policy document to date. It is implementing guidance rather than a regulation: it sets out the FDA's current thinking and the contents the FDA expects to see in a submission. The fda.gov landing page is the canonical reference, not secondary commentary.
AI/ML devices reach the US market through the standard SaMD pathways. The pathway depends on risk classification under 21 CFR Part 860 and the availability of a substantially equivalent predicate device. PCCP layers on top of the pathway and does not replace it.
The FDA has separately published lists of authorised AI/ML-enabled medical devices and intends to update them periodically. The intent is transparency about which devices have been authorised. The list itself is a reference resource, not a source for invented case studies or comparative claims.
| Adjacent rule | How it interacts |
|---|---|
| 21 CFR Part 820 (Quality System Regulation) | The QSR sets quality system expectations for medical device manufacturers. AI/ML adds requirements on training and validation data governance, traceability and version control on model artefacts, but does not displace the core QSR controls on design, production, complaint handling and CAPA. |
| HIPAA Privacy, Security and Breach (HHS-OCR) | AI/ML devices that process PHI require HIPAA safeguards. The device manufacturer and the deploying clinical organisation share obligations through Business Associate Agreements; minimum-necessary access, encryption and audit logging apply throughout the model lifecycle, including retraining. |
| Section 1557 of the Affordable Care Act | The 2024 HHS-OCR final rule extends non-discrimination duties to patient care decision support tools, including algorithms and AI used by covered entities. Clinical AI/ML used by US healthcare providers operates inside both FDA SaMD expectations and Section 1557 obligations on the deploying entity. |
| EU MDR and EU AI Act | EU-market access requires MDR conformity assessment, and high-risk AI/ML in medical devices simultaneously falls under the EU AI Act. Annex IV technical documentation aligns substantially with MDR technical documentation, but the regimes are formally distinct and both must be satisfied. |
| ISO 14971 risk management for medical devices | ISO 14971 risk management remains the foundation. AI/ML-specific failure modes such as concept drift, distribution shift and adversarial inputs are folded into the risk file and the residual-risk evaluation as part of the standard process, not as a parallel discipline. |
“The biggest practical change with PCCP is cultural: model updates become a planned, bounded engineering discipline rather than a new submission every time. That only works if the Modification Protocol is honest about what is and is not in scope.”
No. PCCP is optional and works best for devices with planned, bounded model updates that can be characterised in advance. Devices with no expected modifications, or with modifications that cannot be specified up front, follow the standard SaMD pathway and submit a new 510(k), De Novo or PMA for material changes.
No, it is FDA implementing guidance. It sets out the FDA's current thinking and the content the FDA expects to see in submissions; the underlying legal authority remains the Federal Food, Drug, and Cosmetic Act and the implementing regulations in 21 CFR.
They run in parallel. EU-market access requires MDR conformity assessment plus EU AI Act compliance for high-risk medical AI; US-market access requires FDA SaMD authorisation. The underlying technical files overlap substantially, but the two regimes are formally separate and both apply to a device sold in both markets.
The FDA expects sufficient information about training and validation data to assess the device's safety and effectiveness for the intended use and patient population. That includes data provenance, demographic characteristics and selection methodology. Submitting full raw training datasets is not typically required as a deliverable.
8 to 16 weeks to a production-ready artefact set: PCCP Modification Protocol where applicable, evaluation harness, real-world performance monitoring plan, cybersecurity documentation and a full audit pack mapped to FDA, ISO/IEC 42001 and NIST AI RMF expectations.
AI/ML-enabled medical devices are regulated as SaMD by the FDA's CDRH through the 510(k), De Novo and PMA pathways. The December 2024 final PCCP guidance lets manufacturers pre-approve a bounded envelope of model modifications without a new submission for each retraining cycle. Manufacturers build a Modification Protocol, real-world performance monitoring, cybersecurity controls and a QSR-aligned quality system. EU MDR and the EU AI Act run in parallel for EU-market devices. Moweb delivers the full artefact set in 8 to 16 weeks, partner-led and fixed fee.